This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Safeguard and Windows Hello

We are testing a Windows 10 Enterprise deployment with Safeguard 8 on a Lenovo X1 Yoga. The Bitlocker PIN works as expected and we can login normally without issue. However, when we pass through the Windows prompt with the fingerprint reader Safeguard prompts again for credentials. I read a few posts here that seem to apply to earlier versions of Safeguard, but nothing that is current. Is it possible to streamline this login process and eliminate the need for Safeguard to prompt for credentials when using the fingerprint reader?

 

David Roden 



This thread was automatically locked due to age.
  • Hi David, 

     

    In order to use the fingerprint reader at logon, you should be using the Safeguard Credential Provider, which won't show up if the fingerprint reader isn't compatible. In that case, you must enter the password at the Desktop since no credential provider was used during the Windows Logo. Please find below the KB article which has the list of compatible fingerprint readers. 

    https://community.sophos.com/kb/en-us/108789 

    Note: The X1 is listed here, but shows that only the 1st generation is supported.

     

    Also I would like to know If you are using the disk encryption only  or file encryption along with it. If File Encryption is also used, you must enter the password at the desktop or you won't have access to the encrypted files.

     

    Thanks & Regards

    Haridoss S

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • We are using disk encryption.

     

    The Safeguard Credential Provider appears and allows us to authenticate with the fingerprint reader, but after we get to the desktop we then get the Safeguard client prompt to login. Is there something else to be changed in order to pass through the credentials? Thanks for your help.

  • Hi David, 

     

    While I check that for you, Please do check the below link and confirm that the prerequisites are met and the Fingerprint is enrolled.

    https://docs.sophos.com/esg/sgn/8-0/user/win/en-us/webhelp/index.htm#concepts/FingerPrintReader.htm 

    Thanks & Regards

    Haridoss S

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • So, the documentation says the fingerprint reader is only supported in Windows 7. We are running Windows 10. I assume the fingerprint reader doesn't work with POA since SGN uses Bitlocker in Windows 10. But our issue seems to be with passing credentials to SGN after authenticating into Windows with the fingerprint reader. In our authentication policy the logon mode is set to userid / password, but fingerprint is an option. Will that address this issue?

     

  • Hi David,

    I am trying to replicate your Windows environment in my lab and create the issue, I will be following the instruction in the following KB article, which could possibly be our key for the solution. I Am posting the KB article here for your reference)

    https://community.sophos.com/kb/en-us/120185 

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • FormerMember
    0 FormerMember

    Hi David,

    If you use the Windows tile rather than the SafeGuard tile SafeGuard can't capture the credentials so will request them when you login.

    Always use the SGN tile and that will save you having to login twice.

    As mentioned above, fingerprint readers aren't supported any longer.

    We also don't support the MS Hello features as they're insecure and can be easily circumvented, see the release notes below:

    Not supported

    • The SafeGuard Client does not support the new Windows 8 / Windows 10 logon methods like PIN and Picture, MS Hello, Virtual Smartcards, MS Passport, etc.

    community.sophos.com/.../122335